Data centers generally support the storage, processing, and transmission of data. Those data are potentially vulnerable to theft and misappropriation. As a result, a series of audits, certifications, and reports have been created to build best practices and reduce attack vulnerabilities. While many global industries ascribe and follow many different audits, certifications, and reports, some of the most well-known in the United States include SOC, ISO, PCI and HIPAA.
Data center users or owners of the storage, processing or transmission process may be required to complete such audits or certifications on an annual basis. Consequently, if such users lease data center services from an outsourced colocation company like H5 Data Centers, the users may require the data center provider to also be audited or certified, or at a minimum aid the data user in the completion of such audits and certifications. Even if the data center provider does not actually have anything to do with the data an end user may store on their computer hardware, a data center provider is very likely involved in the physical protection of such hardware equipment.
A Service Organization Controls (SOC) report is designed to help service organizations that operate information systems and provide information system services to other entities build trust and confidence in their service delivery processes and controls. The report is typically completed annually by an independent Certified Public Accountant (CPA) and includes a detailed description of tests of controls performed by the CPA and results of the tests. There are several types of SOC reports - SOC 1, SOC 2 and SOC 3.
A SOC 1 report performs critical risk assessment procedures and tests the related control objectives on financial reporting and it can be a Type 1 or Type 2 report. A SOC 1 Type 1 report tests achievement of control objectives on a specific date, while the SOC 1 Type 2 report adds design and testing of the controls over a period of time. Providing a reliable tool for data end users and their auditors when performing an audit, a SOC 1 report can help data end users readily comply with mandated financial laws and regulations to enhance adherence to corporate responsibilities and combat corporate and accounting fraud relevant to the Sarbanes-Oxley Act of 2002.
A SOC 2 report contains much of the same elements found in a SOC 1, however, it focuses on an organization's non-financial controls such as information systems that are relevant to security, availability, processing integrity, confidentiality or privacy. Like a SOC1, a SOC 2 report can also be either Type 1 or 2. The same concept applies between a Type 1 or a Type 2 - the question is whether the testing is on a specific date or over a period of time, respectively. The SOC 2 report focuses on the Trust Service Principles (TSPs) and serves to educate the user entity about processes that affect its security, availability, processing integrity, confidentiality or privacy of the data.
A SOC 3 report are a short-form report and contain no description of tests of controls and results, and may be used in a service organization's marketing efforts.
Data center users often need or want to comply with audit requests from outside accounting firms, so the results of a SOC report and test can help make those audits run more smoothly. SOC reports communicate, in a standardized method, the resiliency of internal controls whether the report covers financial reporting (SOC 1) or financial and non-financial controls such as security, availability, processing integrity, confidentiality, and/or privacy (SOC 2).
The ISO/IEC 27000 family of standards helps organizations keep information assets secure. Within the 27000 standards family is ISO/IEC 27001 which is known for providing the standard requirements for an information security management system (ISMS). An ISMS is a systematic approach to managing sensitive organizational information so that it remains secure. It includes people, processes and IT systems by establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. It helps small, medium and large businesses in any sector keep information assets secure.
Organizations either must comply or voluntarily elect to comply to various regulations regarding data protection, privacy and IT governance. ISO 27001 can bring in the methodology which enables organizations to meet such regulations and standards in an efficient way.
ISO 27001 is the only auditable international standard that defines the requirements of an information security management system (ISMS). Certification demonstrates that an organization has defined and implemented best-practice policies, procedures, processes, and systems that manage information risks.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle financial transactions of "branded credit cards." The PCI Standard is mandated by such "credit card brands" and administered by the Payment Card Industry Security Standards Council. Created to implement standards for security policies, technologies, and on-going processes, the PCI standard tries to protect payment systems from breaches and theft of cardholder data.
Maintaining payment security is required for essentially all entities that store, process or transmit cardholder data. Guidance for maintaining payment security is provided in PCI security standards, which set the technical and operational requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions. The PCI Data Security Standard can help defend against cyberattacks aimed at stealing cardholder data.
"PCI" serves the complex global ecosystem of payment cards, including hardware and software developers who create and operate the global infrastructure for processing payments. From customers to merchants, financial institutions, and data centers, the security of cardholder data affects everybody. Traditional outsourced data center and colocation providers, like H5 Data Centers, don't necessarily store payment information on any hardware equipment, however, they are involved in physical processes and standards to reduce and deter the physical taking of hard assets that deal with processing payments.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, is intended to improve the efficiency and effectiveness of the US health care system. HIPAA requires the adoption of national standards for electronic health care transactions and code sets, unique health identifiers, and security resulting from electronic technology that could erode the privacy of health information. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 (as part of American Recovery and Reinvestment Act) modified HIPAA to include business associates of covered entities directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules. The HIPAA Privacy Rule protects the privacy of individually identifiable health information, called Protected Health Information (PHI), while the Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information "electronic Protected Health Information" (e-PHI).
The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analyses as part of their security management processes. An ongoing risk analysis process focuses on Security Management Process, Security Personnel, Information Access Management, Workforce Training and Management, as well as periodic Evaluation, Facility Access and Control, Workstation and Device Security, Audit Controls, Integrity Controls, and Transmission Security.
As a business associate and covered entity, a data center user in the health care space must be compliant with applicable national standards of HIPAA to avoid a material breach or violation of its obligation under HIPAA and must take reasonable steps to cure the breach or end the violation. Violations include the failure to implement safeguards that reasonably and appropriately protect e-PHI. The Security Rule establishes a set of national standards for confidentiality, integrity and availability of e-PHI. The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for administering and enforcing these standards and laws, in concert with its enforcement of the Privacy Rule, and may conduct complaint investigations and compliance reviews.
Outsourced data center and colocation providers, like H5 Data Centers, typically don't store any e-PHI directly, however, they are involved in physical processes and standards to reduce and deter the physical taking of hard assets that deal with electronic health records and e-PHI.
If you have questions about what audits and certifications H5 Data Centers pursues at any of our data centers, please contact us.